The FCA’s new safeguarding regime comes into force in less than a month, on 7 May 2026. Payment firms are grappling with the operational, cultural and governance changes required to support a comprehensive CASS framework. In this article, we outline the core challenges firms are facing, alongside our view on how they can be met.
The FCA’s intention for CASS 15 is to strengthen consumer protection and market integrity within the payments industry. Although the FCA has been focusing on growth and innovation, safeguarding remains a priority, and the Regulator will act where it identifies non-compliance.
Key challenges
Getting the basics right
CASS 15 rules introduce new concepts and requirements, but some firms face challenges in meeting existing expectations.
Common struggles include:
- insufficient documentation evidencing effective controls
- a general lack of documentation for key governance decisions
- absent third-party due diligence records
Overcoming such struggles will continue to be important in the world of CASS 15. Helpfully, weaknesses in these areas are quick to fix, and addressing them will help firms ready themselves for the new regime.
We recommend that firms:
- document their CASS controls alongside the risks each mitigates
- strengthen and formalise governance documentation standards by introducing a framework that includes MI packs, detailed minutes and written records of key safeguarding-related decisions
- embed a structured third-party due diligence process which includes appropriate templates and record-keeping protocol, covering initial and periodic reviews of third parties used for holding relevant funds/assets
An appropriate foundation for books and records
Firms will need to have improved and accurate books and records to prevent any material delays in identifying relevant funds. A pressing operational challenge is the absence of pertinent records that support this core objective of CASS 15.
Some firms have foundational issues, lacking, for example, serviceable records of client money inflows and outflows. Compliance with the rules in such cases is an impossibility without appropriate remediation. But even firms that have such records can nonetheless struggle to align with the rules. For example, some firms are keen to develop in-house processes for their reconciliations and record keeping, but they fail to consider the nuances of their business model and thus struggle to build something that facilitates compliance. Alternatively, they bend processes to fit with ‘how they have always done things.’ Neither is a route to compliance.
We recommend that firms:
- ensure their books and records capture all relevant data sources before honing their reconciliations – a smooth reconciliation is worthless if the underlying records are flawed
- complement their comprehensive records with a formal reconciliation framework that is firmly grounded in the requirements of CASS 15, such as those for reconciliation methods, sources and reconciliation points – be guided throughout by the rules, resisting the temptation to think you have a better way
- obtain third-party assurance on in-house processes for reconciliation and record keeping to ensure they meet regulatory standards and reflect your business model
Resourcing for regulatory returns and identifying the right data sources
The resourcing and data needs for monthly safeguarding returns will pose a challenge for many firms. This challenge will need to be met head-on. We expect the returns to be a key supervisory tool that the FCA uses for further engagement with firms.
Firms will struggle if they fail to understand the data sources that should feed the returns. And firms may find this area challenging on account of their reliance on manual spreadsheets for books, records and reconciliations.
It is critical that firms understand from the outset the data inputs required for completion of the returns and have a clear methodology for obtaining and compiling such data. Manual spreadsheets can also work for firms in this sphere, but the contingent operational risks need to be carefully managed. Indeed, the above-discussed importance of documenting controls in a risk-based manner is demonstrated here. The process for compiling the return should be clearly documented, have process owners for accountability and a clear audit trail for sign off.
Proactive breach identification
A significant challenge firms face is an inconsistent understanding of safeguarding breaches and the lack of a proactive approach to identifying breaches. Firms should be proactively identifying where they have not complied with specific requirements related to safeguarding and documenting this. In practice, firms often discover issues following audits or third-party reviews; such a reactive compliance culture inevitably causes delays in resolving breaches.
CASS 15 outlines the requirement to notify the FCA of material safeguarding breaches without delay and in line with the notification requirements in CASS 15.8.60, so firms need to be equipped to identify such breaches promptly. This is where training and the right support can enable firms to implement governance processes for identifying and resolving breaches and making regulatory notifications in good time.
Failure to shift to a proactive culture of breach identification can lead to firms being subject to increased regulatory scrutiny and action.
We recommend firms shift their culture in this space by undertaking the following:
- safeguarding breach training for operational teams and senior managers
- introducing breach registers which support consistent documentation of breaches and materiality assessments
- formalising a breach notification policy which documents an escalation framework for breaches, materiality thresholds and notification triggers
- drafting a CASS 15 rule mapping document which enables firms to promptly identify where they have breached the FCA’s rules, requirements and guidance
How can Ocorian help you?
Our team has a variety of expertise, with many coming from audit, industry and regulatory backgrounds, leaving us well equipped to support you in this space.
We are available to support throughout this transitional period and beyond.
We can support through:
- building processes and controls to meet the rules and requirements (and the broader spirit of the regime)
- conducting readiness reviews and testing by doing a deep dive into firms’ overall policy and governance arrangements
- identifying and providing key templates required for CASS 15 compliance
- preparing you for your first audit under the new rules and providing side-by-side support during your audit